Method and system for identifying an authorized individual by means of unpredictable single-use passwords

ABSTRACT

A method is described for the identification of a party authorised to have the benefit of a service delivered by a provider party via a telematics network, in which the provider party and each user party are connected to the network by means of a respective electronic communications and processing system (S, C), and the provider party requests a temporary password (PWD) identifying the user party to allow access to the services delivered. The method is characterised in that it involves autonomous execution of a procedure for calculating the password (PWD) in the processing systems (S, C) of both parties on the basis of predetermined algorithms, the above-mentioned calculating procedure comprising the operations of: generating a first string of characters (N30) by means of a first pre-established algorithm (ALGN30), on the basis of a random number (RND) and a hidden dynamic variable (n; p) not transmitted over the network, but obtained by the processing systems (S, C) independently; extracting a second string of characters (N3), a subset of the first string (N30), by means of a second pre-established algorithm (ALGN3), as a function of the hidden dynamic variable (n; p) and of said random number (RND); and generating the temporary password (PWD) by means of a third pre-established algorithm (ALGPWD), on the basis of the above-mentioned second string of characters (N3). The authorised party is identified as a result of the comparison between the password (PWD) calculated by the processing system (S) of the provider party and that calculated by the processing system (C) of the user party, whereby access to the service is permitted if this comparison gives a positive result and otherwise is denied. The password thus obtained may also be used as a single-use key in a system for encrypting all the information exchanged between the authorised user party and the service provider party.

The present invention relates in general to the sector of computer security, and more specifically a method and a system for the identification of a party authorised to have the benefit of a service via a communications network.

The present invention is applicable to systems administering access to protected sites and/or managing commercial transactions, and in general for services which involve the communication of confidential data, in which a party having the benefit of goods/services, or client (user), communicates with a party delivering goods/services, or provider, and/or has the benefit of such goods/services, via a public communications network or other network, whether protected or unprotected from intrusions by third parties.

The present invention is also applicable in systems to control the access of a party to locations or areas, for example those restricted to authorised personnel.

In this connection it should be noted that the term “party” as used in the present invention and in the claims which follow is intended to refer in general and without distinction both to a user who operates actively on the network via universal interface devices by means of which he manually performs an identification procedure, and to a user for whom the identification procedure is conducted automatically by a pre-configured personal processing terminal.

STATE OF THE ART

The invention falls within the context of problems relating to the transfer of confidential information on a communications network (such as the Internet for example, but also a local network) and to security in accessing protected sites, or more generally services of various kinds, for which certain recognition of the user and the impossibility of access by unauthorised persons represent necessary and fundamental conditions for delivery of the service offered.

Examples which readily come to mind include on-line banks, sites of companies which issue temporary credit card numbers, company or institutional mail servers containing extremely confidential and strategic information, sites which offer e-commerce services, and all the possible services to obtain which it is necessary to exchange personal, confidential and private information of potential interest for use by unauthorised third parties for unlawful purposes.

In general it may be said that the invention is of particular importance primarily in the e-business and e-commerce sectors, but it can also easily be extended for use in the sector of conventional banking operations and telecommunications, including the management of physical access to restricted or in any case controlled locations.

A typical connection procedure on a network between a user and a service provider in which confidential information is exchanged generally consists of four steps:

keying in on a computer keyboard (or any other user interface device which allows data to be input) the information necessary to identify the party, such as for example the User Name and Password and/or a PIN; in this case the security that this information is kept secret can be guaranteed only by the user (or someone for the user) by checking his computer using antivirus software, port and process scanners or similar provisions;

processing such information by the computer or an equivalent processing unit, in order to render it unintelligible to anyone not possessing the necessary lawful instruments (for example Security Certificates) to read them; in this case the secrecy of the data depends on the quality of the security procedures imposed by the service provider's server on the user's computer;

transferring the information processed by the user to the provider's server, on the communications network (for example the Internet or an LAN (Local Area Network), or a cellular communications network); in this case the security of the data depends on the type of connection used and where appropriate on the managers of the network access service, and in the case of the Internet (on which the number of potential points for monitoring the information flow is enormous), controlling the security of insufficiently protected data is poor;

re-processing of this information in the provider's server, in order to decipher the information received, previously processed and encrypted; in this step, the security of the data received depends only on the server, its administrators and the type of management used.

It must be stressed that, in principle, information of any kind which is transferred via the Internet can be intercepted by third parties and, even if with some difficulty, can where appropriate be deciphered.

To date, the most confidential information is transmitted and received in encrypted form. This is because encryption is judged to be the most reliable system in this type of communication.

The most widely used encryption system is RSA, also known as a two-key system: a public key and a private one. In practice, the recipient of a message or piece of information makes the key public to carry out encryption of the message, giving it to the sender of the message and anyone who requests it. However, this key is not sufficient to decode the message received. To do this, a second key is required, a private one, which the recipient keeps hidden for himself alone.

In this system, the preceding four steps may be summarised as follows:

information keyed in by the user (sender);

encryption by means of suitable software installed on the sender's computer;

encrypted data sent to the recipient's server;

data received and decoded by the recipient's server.

In reality, the operation of unlawful decoding is not impossible, but requires a very long time to carry out. In general, it is sufficient for the decoding time to be longer than the period of validity of the protected information.

What has been said suggests that:

a) even if the encrypted information cannot be decoded in a sufficiently short time, this does not prevent the possibility of gathering and cataloguing a sufficient number of pieces of information (for example encrypted Passwords) over a period of time, and being able on the basis of this to work back to the algorithm which produced this information;

b) no cryptographic code is unbreakable; this is due to the ever increasing speed of computers and the possibility of bringing to bear on the same objective the results of calculations produced by a potentially very large number of computers connected to each other in a network (for example by means of the Internet).

Apart from this, there are at least three further problems which limit security when transferring even encrypted data over the Internet.

1) It is possible to find a way in between two parties or computers which are exchanging information using the two-key system: an intruder sends the message sender his public key, making him believe that it is the recipient's; the sender sends the message encrypted with this key, and the message is then decoded by the intruder by means of his private key. The same intruder then proceeds to send the recipient the sender's message encoded with the recipient's public key. In this way, the sender and the recipient are under the illusion that they are communicating in a protected manner, but in reality everything takes place under the control of the intruder.

2) There are some forms of computer virus in circulation, generally transmitted by means of electronic mail, which lie in wait in the memory of the sender's computer and are activated only when the operating system carries out the standard procedure of entering a User Name and a Password. When this happens, the virus programme reads and records directly what is typed on the keyboard, before this information reaches the stage of encryption to be dispatched. Once recorded, this information may subsequently be dispatched, still via the Internet, to a specified address. The speed of spread of these types of virus, and the difficulty of removing them because of their specific characteristics, makes this problem quite difficult to solve.

3) A further possibility is that an intruder may manage to insert in the computer being spied upon programmes capable of reading and recording all the characters typed on the keyboard of that computer, and therefore including any passwords, and to dispatch them to wherever required. As in the previous case, this would all take place prior to any encryption stage, which would therefore not provide any real protection.

From what has been said it will therefore be understood that encryption alone, however much it may complicate the process of unlawful appropriation of personal information by unauthorised third parties (described generically as hacking), may sometimes be inadequate to protect such information, and also requires continuous updating and increases in complexity because of the continuing growth in the computing power of computers and also in the quality and effectiveness of techniques of eavesdropping to obtain sensitive information.

In support of this it is in fact said that there are some techniques already in use to reduce the risk of hacking (attempting at the same time not to make the operations to be carried out by the user too complicated).

U.S. Pat. No. 4,720,860 describes a method and a system for generating variable codes, non-predictable, for the purpose of identifying a party authorised to carry out monetary transactions or access a protected system. Secure identification of the party is based on a comparison of a pair of non-predictable access codes generated as a function of a static variable and of a dynamic variable defined by the moment in time at which the static variable is input into the system by the user.

A method and a system for recognition of a party by means of non-predictable codes is also described in U.S. Pat. No. 4,998,279, in which a high degree of security is achieved by combining the system in U.S. Pat. No. 4,720,860 for generating non-predictable codes, variable in time, with the communication at the same time of a biocharacteristic of the user, for example the sound of the user's voice.

U.S. Pat. No. 5,367,572 describes a method and a system of recognition for identifying a party on the basis of a PIN, in which the PIN is transmitted in combination with a non-predictable time-dependent code. At a recognition centre, the PIN and the non-predictable code are retrieved on the basis of a non-secret code transmitted previously.

U.S. Pat. No. 6,130,621 relates to a method and a system for preventing unauthorised access to or use of a protected device, in which a non-predictable dynamic code is used, generated by the user for example on the basis of a card or other similar identifier (“token”) in his possession.

Some examples adopted in current practice are:

Access to the Sites of some On-Line Banks, such as NatWest (http://www.natwest.com)

In this specific case, the Personal Identification Number (PIN) and the access password are not required in their entirety, only a part of them being sent over the network (some numbers or letters of which they are composed) following the instructions given by the connecting software (requests such as: “send the second, first and fourth numbers of the PIN”, “send the eighth, third and thirteenth letter of the password” and so on). The instructions change for each new connection.

In this case, the purpose is to avoid transferring all the information over the network in a complete manner, by asking for only a part of it to be sent, in an attempt to make complete reconstruction of the information by unauthorised third parties more difficult, on the assumption that the latter might be capable of reading or in any case interpreting the information and the requests which the sender (the User) and the recipient (the Bank) are exchanging.

Despite this, however, it is easy to understand that the further obstacle set up by the bank, again with respect to encryption alone, may be circumvented by unauthorised third parties simply by collecting a number, not even a large number, of partial pieces of information on the sender and the recipient's requests with which to reconstruct the complete initial information, which in any case always remains the same.

In practice, after a certain number of connections, the complete information will be transferred over the network and can therefore be known.

The SECURE ID System Produced by RSA Security (http://www.rsasecurity.com)

This is a system based on an electronic device which generates numbers by means of an algorithm which depends on a static variable and a dynamic variable.

A static variable may for example be a “once only” number to be entered to initialise the algorithm, while the dynamic variable is the time.

In practice, with such a system, the user wishing to be connected to its site containing confidential information must enter his own User Name, a password if any (both these pieces of information are fixed), and in addition a number (which we may call TDN) supplied to him by the electronic device on a display and which changes every minute.

The server which the user is accessing, once the user is identified by means of his User Name (and password if any), calculates the TDN using the same algorithm (known to the server) present in the user's electronic device, using the same static variable previously exchanged with the user to initialise the algorithm, and using a clock synchronised with that of the user to determine the time variable. If the user's TDN and that of the server coincide, access to the server is permitted.

The fundamental purpose of the system is to prevent access to a server depending only on predetermined and fixed information (even though encrypted), which, as has been said in points a) and b) set out above and by means of any one of the methods described, for example in points 1), 2) and 3), can be picked up or in general known by unauthorised third parties.

For this reason, a piece of information varying with time is added, known only to the holder of the electronic device and the server.

This precaution does not however appear very effective in principle. This is because, if it is assumed that any information travelling through the network can be seen by third parties, the TDN numbers generated by the electronic device can also be seen. In this case, the TDNs could be catalogued a piece at a time as they are picked up on the network and correlated with the time variable, thus making it possible to obtain all the necessary information to be able in principle to work back to the algorithm and the static variable which generated these TDNs, and therefore to be able to predict the following ones.

The system in question, therefore, only increases the complexity of the hacking process, without solving the problem in principle. This is due to the fact that on the network all the information is transferred in a complete form, even though encrypted. In this case too, in practice, it is still only the encryption which guarantees the security of information transfer over the network.

MONETA On-Line Service (http://www.monetaonline.it), Offered by the Intesa BCI Banking Group

This is a service by means of which it is possible to obtain temporary virtual credit card numbers corresponding to a specific amount. In this way, the credit card number which is transferred over the network cannot be used by unauthorised third parties who might come into possession of it by unlawful means, first of all because it corresponds to an amount which is quite specific and relates only to the purchase which it is intended to make at that time, and then because its duration in time is extremely limited (in general 24 hours).

The person entitled to the MONETAonline service, after selecting the item or service to be purchased on-line, accesses the site www.monetaonline.it to ask for the number of the VISA virtual credit card to be entered on the order form awaiting completion.

In summary, the steps to be followed to make a payment are the following:

select the item or service from an on-line business having an arrangement with VISA or MONETA, proceeding as far as the order form where the user is requested to enter the number of the credit card and the relevant expiry date;

access the site www.monetaonline.it;

select the function “Request Virtual Card for payment”;

enter the user code and the password, select the type of Virtual Credit Card required and where appropriate complete the optional maximum amount box;

when the number of the card and the expiry date have been obtained from the service manager, return to the order form, select the payment by VISA or MONETA card option;

enter the number of the card and the expiry date;

confirm the order and await the on-line reply from the sales operator.

Although the virtual credit card system does in fact represent an excellent deterrent against the theft and associated use of “real” credit card numbers (to distinguish them from the “virtual” numbers mentioned), because it is impossible to re-use them once the authorised holder of the virtual credit card number has completed his own operation, the service still proves to be imperfect and ineffective because of the fact that to access the site on the Internet it is necessary to enter a user identification code and a password, and this information, as stated, still presents security problems as pointed out in points a), b) and 1), 2) and 3) above.

Therefore, the use of the virtual credit card service is still subject to the cited disadvantages when transferring confidential information over the network.

All the services described above, as well as other similar ones (see for example the secure on-line payment service for commercial transactions on the network provided by the company Orbiscom, http://www.orbiscom.com), demonstrate among other things that in reality confidence in the effectiveness of encryption and in general in network security is rather low. This is due basically to an awareness of the fact that encryption systems are intrinsically vulnerable to being attacked and broken (even though with serious difficulties) and this represents one of the limiting factors in the development of e-commerce, e-business and in general all virtual payment systems or systems for transferring personal or confidential information.

SUMMARY OF THE INVENTION

The present invention has therefore the intended purpose of supplying a satisfactory solution to the problems set out above, avoiding the disadvantages of the prior art. In particular, the invention has the aim of guaranteeing absolute and intrinsic security of the information giving access to protected and confidential sites, and more generally to provide identification of the user party who needs to be recognised before being able to access services for which security and confidentiality represent essential conditions for provision of the service (for example, e-commerce sites, on-line banks, payment systems, electronic mail servers etc.), or to restricted or at any rate controlled areas.

A further purpose of the invention is also to guarantee the security, absolute and intrinsic, of all the information exchanged between the user and the servers of protected and confidential sites (for example e-mail texts, credit card numbers, information on bank accounts etc.).

According to the present invention, this purpose is achieved by means of a method for the identification of an authorised party, having the characteristics cited in claim 1.

A further subject of the invention is a system for the identification of an authorised party, having the characteristics claimed in claim 22.

In summary, the present invention is based on the principle of identifying an authorised party on the basis of an item of information of the fixed type (which may be the User Name), and on “one-time” passwords, that is passwords which can be used once only for a single connection, intrinsically non-predictable since they are based on random numbers and on transferring only part of the data necessary for identification onto the network.

These “one-time” passwords may also be used as “one-time” encryption keys in an encryption system with one, two or more keys, at each connection always guaranteeing a different encryption of the information exchanged.

Advantageously, the password—or encryption key—is generated on the basis of a dynamic variable which is a function of the number of connections n between the customer/user and the provider which have previously taken place, and this variable may also be changed by the user, and therefore in that sense is not predictable.

Appropriately, the system may be initialised by means of an initialising procedure which not only enables synchronisation of the connections (respective knowledge of the number of connections which have taken place) to be recovered in case of problems during a connection (and therefore as such is an “emergency procedure”), but also enables the value of the dynamic variable relating to the number of accesses to be varied in a discontinuous and non-predictable manner, frustrating any unauthorised third-party who might be following the history of the connections of a specific user (and therefore, in this sense, is also a “preventive procedure”).

Moreover, in the procedure an algorithm is used for extracting a limited part of more extensive and complete information, and this characteristic guarantees the non-reversibility of the entire identification procedure, and therefore its intrinsic non-predictability even on the basis of statistical methods, because part of the information to be provided disappears in one step of the procedure.

The method of connection and identification (or “communication algorithm”) in question is not considered as an alternative to encryption, but may supplement it and can easily be inserted in currently used connecting systems, as a further and definitive protection during access, which is found to be the most susceptible stage.

The communication algorithm, if used to generate “one-time” encryption keys, contributes to improvement of current encryption systems which thus become “one-time” encryption systems.

With the method and system disclosed by the invention, the information transferred through the network, should it be intercepted and deciphered, would not in any case be of any use to anyone wishing to attempt to gain illegal access to the site to which the connection is made. In principle, in fact, this information could be transferred directly “in clear” without anyway running any risk deriving from possible interception. In other words, the method and the system according to the invention guarantee an absolute level of security in access to web sites which provide for the entry of a password, as will be understood below.

Implementation of the invention is based on standard technology and no modifications are required either to the hardware or to the Internet navigating software, that is there is no need to change any of the standards used hitherto for this type of communication. In practice, it is necessary to have a microprocessor card or Smart Card and an associated portable read/write device (or an equivalent electronic device), and also suitable software installed on the server of the site to which the connection is being made. An additional possibility is to integrate the read/write device of the card with a palm-top computer or with a cellular telephone, possibly as an external accessory to these latter units. Further developments are offered by integrating technologies for biometric identification of the user (holder) in the read/write device of the card.

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the invention will be set out in more detail in the following detailed description of an embodiment of the invention, given by way of non-limiting example, with reference to the appended drawings, in which:

FIG. 1 is a block diagram of the method of identification according to the invention; and

FIG. 2 is a block diagram of an initialising stage of the method in FIG. 1.

DETAILED DESCRIPTION OF THE INVENTION

A generic telematics network architecture (LAN, MAN, WAN, up to the Internet world wide web) configured for access by a user to a service provided on the network makes provision for both the provider party and the user party to be each provided with respective electronic data/information communications and processing systems.

In particular, at the service provider there is located a processing system such as a server capable of managing a procedure for identification of a party authorised to operate with the provider and to define an encryption system, if any, to be used in the communication, and also to deliver the service requested once recognition has taken place. The user accesses the network via an interface device comprising a processing terminal or similar device designed to allow identification of the authorised party in order to obtain clearance to operate.

Description of the User Terminal

According to a preferred embodiment, the user's processing terminal basically comprises an electronic card reading device, such as for example a microprocessor card or Smart Card, and a processing unit capable of executing the programmes stored on the card.

Preferably, it is provided with a non-volatile memory in which the service provider (who at the same time has supplied the client with the identification device) has written an identification number (DEVID) and a string (STRID) which identify the device and therefore the holder to whom it belongs, and whose relevance will become clear further on.

The terminal is equipped with at least one alphanumeric display for presentation of the single-use passwords generated as and when there is a request to use a service on the network, and also with a selection, setting and control keypad including, for example, push-buttons marked with the numbers 0-9 for inputting the data requested in the identification procedure, and an additional push-button for starting a procedure to initialise the system.

The terminal may also be provided with a communications port (with infra-red or radio wave operation, for example, but also of the USB, serial or optical type etc.) to allow direct connection where appropriate to a Personal Computer (PC) to automate the procedure for accessing the network without manual intervention by the holder.

A similar device, without a keypad or display, but simply capable of executing programmes with the algorithms present on the card and provided with a DEVID and a STRID could also be inserted directly into a computer in the form of a PCMCIA card or similar, for example.

Preferably, the external Smart Card which can be inserted into the reading device of the user terminal comprises rewritable non-volatile memory modules containing information on a PIN access code (PINSC) necessary to read the card, which must be known only by its holder, and also all the algorithms necessary for execution of the programmes by the device, the number of accesses or access attempts which have previously taken place, an initialising table and any variables necessary for connection. The functions assigned to the number of accesses and the initialising table will become clear to the reader from the remainder of the description and in particular from the complete description of the steps in the identification method.

As an alternative to using a PIN access code, the portable device and/or Smart Card may be activated by means of biometric identification of the holder, for example by recognition of his fingerprint. In this case, the portable device is conveniently equipped with a biometric data reader, such as a scanner for acquisition and recognition of fingerprints. Preferably, the biometric data relating to the authorised user are stored only in the reading device or on the Smart Card and are not transmitted in any way over the network, avoiding any problems connected with possible privacy violations.

The use of biometric identification technologies ensures that the “one-time” passwords are generated exclusively by an authorised user, who is therefore identified unambiguously in the recognition process.

In practice, a card must be matched to the reading device intended to receive it, and therefore to its holder. The matching is conveniently carried out by the provider, or by service companies authorised by it for the operation.

The card stores the same user identification STRID present on the reading device. In this way, the reading device can check whether the card inserted is authorised for that particular reading device (and therefore holder) preventing the use of it by unauthorised third parties.

One or more algorithms stored on the card relate to the static variable DEVID present only in the reading device enabled to read that specific card. In this way a further guarantee of security is obtained, due to the fact that the strings generated by the above-mentioned algorithms will correspond only and exclusively to those which can be obtained from the unique reading device authorised to read them.

The choice of non-volatile memories (which are not deleted if the card is removed from the reading device and therefore no longer supplied with power) is necessary to allow the use of different cards, relating to various services offered by one or more providers, on the same device. Alternatively, everything described above may be incorporated within the processing terminal, without any need for removable cards.

Description of the Method of Identification

In the block diagrams in the drawings, the left column shows the state and the operations carried out by the server S which manages access to a predetermined service (for example an on-line bank). The column indicates the intermediate data known and/or calculated by the server for determining the single-use access password independently of the user, and for the comparison with the password made known by the user.

The right column shows the state of the user terminal C and the operations conducted by the party intending to access a service on the network, either in the form of operations carried out directly by the user via universal or personal interface devices, following the indications provided by the pre-configured processing terminal, or in the form of operations conducted automatically by the above-mentioned terminal incorporated in the interface device. The column indicates the intermediate data known and/or calculated for determining the single-use access password independently of the provider.

The horizontal arrows show the direction of communication (requests forand sending of information), while the vertical arrows show changes ofstate as a result of calculating processes.

The procedure for identifying the user for access to the provider'sprotected server via a communications interface capable of carrying outsimple calculating operations may therefore be described as follows(with reference to FIG. 1).

Before connection, both the provider's server S and the user terminal Cretain in their memory the number n of connections made and concludedbetween the two parties up to that moment. This condition is shown inthe drawing by the dynamic variable n in the box which shows the changeof state and execution of the operations in the respective systems.

When a request for connection is made by the user, the provider's serversends its request RQS to input a PIN identification string for thepurpose of selecting the access data relating to the user correspondingto that PIN string. These data (for example a serial number of theterminal and an Initial User Code pre-selected by the user whenactivating the service) are personalised for the user and constitutestatic variables on the basis of which the algorithms for finalcalculating of the “one-time” password (PWD) are personalised.

The user sends his own PIN in reply.

Using the CHKPIN procedure, the server S checks the existence of the identification PIN received, and if the result is affirmative initiates the access procedure.

As a first step, by means of a pre-determined algorithm for generating a random number ALGRND, the server generates the number RND. Thus, at this stage in the connection, the items of information contained in the memory of the server are: n and RND.

Once the number RND is generated, the server sends it to the user via the interface device (for example the screen of a personal computer by means of which the network is accessed or the display of the processing terminal) or, where appropriate, directly to his processing terminal, as in the case where the whole access procedure is automated by means of a direct connection, of whatever type, between the device and the personal computer used for the connection. In this way, the terminal C also contains the same information as the server (that is n and RND).

From this moment onwards, both at the server and at the user terminal, the same procedure may be started to generate the single-use password PWD.

This procedure begins with the generation of a string N30 by means of a predetermined string-generating algorithm ALGN30 which has as input data the value of the dynamic variables n, RND and the values of the static variables such as the serial number of the terminal and the Initial User Code selected when the service is activated. The string N30 is composed of a large number of characters (for example thirty, but the number of characters is non-limiting and may be chosen as large as desired and if required may also be dependent upon n).

The number of accesses n, notwithstanding its dynamic nature, also represents a variable personalised to the user, since it depends on the history of the connections made by the user, recorded both on the user terminal and on the server. The variable n is not sent onto the network, and therefore cannot be detected by unauthorised third parties, so that it may be considered a hidden dynamic variable. Preferably it consecutively increases its own value by one unit, but may vary according to other rules and may also be changed by the user in a random manner, as will be explained later, therefore becoming entirely non-predictable, so as to prevent the possibility of working back to it by any hacking operation conducted over time. Moreover, given that it must be updated at each connection both on the user terminal and on the server, it represents an intrinsic method of controlling authorised access to the server. Therefore n is a dynamic variable, invisible, non-predictable and controllable by the user, and differs greatly (and for the better) from the time variable used in known access systems (for example the SECURE ID system discussed previously and the systems described in the prior art patents cited).

The probability of predicting the string N30, in the absence of the lawful instruments for generating it, is practically nil, both because it is generated on the basis of random numbers and an unknown dynamic variable (the 2 above-mentioned variables are both non-predictable) and because N30 is never sent onto the network, and it is therefore not possible for it to be known, far less predicted.

Once N30 is generated, both in the server and in the user terminal the string N3 is generated by means of a predetermined extraction algorithm ALGN3. The algorithm has as inputs n, RND and N30, and as output string N3 which has a smaller number of characters, preferably less than half, than the number of characters in the string N30. N3 is a string which has the particular feature of being composed of a subset of characters of N30, and more specifically of characters extracted from those belonging to the string N30 in positions dependent upon n and RND.

For example, if N30 is the string:

-   3h5y987sfg82JsK15wQ421fxjLpUMp

by means of the algorithm ALGN3, and as a function of the current n and RND, the characters

-   .h..9..sf.8.J...5.Q4..fx.L...p

are selected so that the string N3 extracted from N30 is:

-   h9sf8J5Q4fxLp.

In the example, the characters which make up N3 have been extracted keeping the consecutive order in which they are positioned in N30, but this condition may also be changed and the characters may be extracted in such a way as not to comply with the order in which they appear in N30. In fact, this order may itself also be a function of n and may therefore vary at each different access.

The extraction of N3 from N30 represents a fundamental aspect of the invention. This is because the operation, and the consequent loss of the information relating to N30 (it should be remembered that N30 is not sent onto the network, has a length which is not known beforehand and it is not possible to predict which characters are selected to extract N3), guarantees the non-reversibility of the whole process of generating the password PWD. In practice, even if it were possible for unauthorised third parties to read and record a sufficiently large number of passwords PWD which are sent onto the network (even “in clear”), and discover both the number n of connections made and the number RND, it is intrinsically impossible (and not simply improbable) to reconstruct in reverse the process of generating any password whatever and therefore to be able to predict a subsequent one.

What has been stated (this will be shown further on) is valid independently of the type of technique which may be used to reconstruct the process of generating passwords and of the computing power available. Even if it were conceivable to work backwards, from the known passwords PWD, to N3, it would not be possible to reconstruct N30 from N3 because a greater quantity of information than could be obtained in principle from N3 would be missing. This guarantees the total non-predictability of a password, even in conditions most favourable to any unauthorised third parties (for example, if all the static and dynamic variables and all the passwords PWD sent onto the network were known).

Once string N3 has been obtained, both the server and the user terminal calculate the actual password PWD by means of a predetermined algorithm for generating single-use passwords ALGPWD, on the basis of the input data n and N3.

Immediately after the generation of the password, the user terminal C updates the variable n by means of the procedure CONT, while this operation at the server S is carried out in a subsequent step. Thus, after the generation of PWD both at the server and at the user terminal, for the server the number of accesses made is still n, while for the user terminal it is n+1. Both the provider and the user nevertheless have the same information on the single-use password generated for the (n+1)th connection.

At this point, the server sends a request PWDRQ to the user to input the password PWD. The word PWD is input and sent by the user by means of the selection keypad (or equivalent system) of the processing terminal or by the terminal itself automatically. The provider's server checks the correctness of the password input by comparing, using the procedure CHKPWD, the variable PWD received with the internally obtained value.

If the password check gives a positive result, the server authorises access but otherwise denies it and where appropriate passes to an initialising procedure JOLLY (described below) which makes it possible to re-synchronise the dynamic variable relating to the number of accesses made.

There is a further case in which, for some reason, the user does not input any password, for example if he goes away from the terminal temporarily. In this case, n can be left unchanged by arranging a counter/timer on the server which cancels the operation if the password is not communicated within a certain time interval. In this way the user has only to repeat the normal connecting procedure, without having to make use of the JOLLY procedure.

Once access is authorised, the server updates the variable n by means of the procedure CONT to the value n+1, returning the system to the initial conditions waiting for a subsequent request for access and a subsequent identification procedure.

The JOLLY Initialising Procedure

If irregularities occur during the connection (for example input of an incorrect password by the user, interruption of the connection before it is completed, or other) or if, in general, for any reason, the variable n indicating the number of accesses which have taken place has a value stored in the user's processing terminal different from that stored in the provider's server, or again if it is desired to restore (re-initialise) the connection procedure (and therefore the variable n) for the purpose of preventing the traceability of the connections by unauthorised third parties, it is possible to use the JOLLY procedure.

In what follows, with reference to FIG. 2, by way of example, the JOLLY procedure is described in the case where an incorrect password PWD is input.

As shown in the previous paragraph, after the provider's server S and the user terminal C have independently obtained the password PWD according to the procedure disclosed by the invention, the server sends a request PWDRQ to the user to input the password PWD. An incorrect password PWD′ is input and sent by the user by means of the selection keypad (or equivalent system) of the processing terminal or by the terminal itself automatically. The provider's server checks the correctness of the password input by using the procedure CHKPWD to compare the variable PWD′ received with the value PWD obtained internally, and the check gives a negative outcome.

At that moment, the state of the user terminal is such that the number of accesses stored and updated is n+1, while the state of the server is such that the number of accesses stored is still n.

The provider's server sends the user a request JLYRQ to input a jolly string JLY_(p) relating to the (n+1)th connection, where p is the smallest integer greater than n+1.

A plurality of jolly strings is stored in an initialising table, in a non-volatile memory module of the card which can be inserted into the reading device of the user terminal. The initialising table is configured as a two-column table and is arranged and stored by the programmer of the card when it is created. An identical table is also stored in a memory unit on the provider's server, and relates only to an individual user. Every user will thus have his own initialising table, different from that of other users.

Of the two columns which make up the table, the first contains random strings JLY_(k) (k=1, . . . m, where m represents the total number of strings making up the table, pre-established at the programming stage according to the degree of complexity which it is desired to assign to the system and the available memory), which are precisely the jolly strings to be input on request, while the second contains integer numbers p, not consecutive, arranged in ascending order. Each element of the column of jolly strings has one-to-one correspondence to one number only p, as shown in the following example.

| jolly string JLY | number p |
|------------------|----------|
| 3Fv38qlp13       | 11       |
| B48sxnu3g        | 27       |
| xmi30dq2         | 39       |
| 11sf8n3lCs       | 55       |
| Mp249em67        | 69       |
| . . .            | . . .    |

The software controlling the user terminal C selects the first jolly string JLY_(p) corresponding to the minimum value of p>n+1 as the jolly string to be transmitted over the network to the provider's server. At the same time, the terminal replaces in its memory the value of the dynamic variable, from n+1 (indicating the number of accesses which have occurred) to the number p corresponding to the string transmitted.

The server, once the jolly string JLY_(p) is obtained, compares it with the strings JLY_(k) (k=1, . . . m) present in its initialising table relating to the user connected (procedure CHKJLY to check the existence and the validity of a jolly string) and replaces the number of accesses n, updated at that moment, with the number p corresponding to the jolly string received.

This operation guarantees that at any time the server and the user terminal can be synchronised as far as the dynamic initialising variable or “number of accesses” is concerned.

To better describe what has been stated, the following example is proposed.

Let it be assumed that after 30 consecutive accesses by a terminal to the server, some irregularity occurs (for example an incorrect password PWD is input for some reason). In this case, the server will request a jolly string to re-initialise.

The user terminal selects the first jolly string corresponding to a value p>n+1. In the table given above, this jolly string is the string “xmi30dq2” corresponding to p=39. Once the jolly string is selected, the user terminal updates its own number of accesses to the value 39.

The server, once the string “xmi30dq2” is received and this string is recognised as a valid string, is re-initialised and prepared to consider the connection in progress as the 39th connection for the user considered.

When re-initialising has taken place, the server generates a random number RND by means of the algorithm ALGRND. Then, at this stage in the identification procedure, the information contained in the server memory is the updated number of accesses p and the random number RND.

The server then sends the user the random number RND generated, via the interface device or where appropriate directly to its processing terminal, as in the case in which the whole access procedure is automated. In this way, the user terminal too contains the same information as the server (that is p and RND), thereby the initial conditions for the connection have been restored.

From this time onwards, the procedure for generating the single-use password PWD described above can be started either at the server or at the user terminal.
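The identification procedure and the JOLLY re-synchronisation described above, with both the server S and the terminal C side, as an added Python example that is not part of the patent text. The patent leaves ALGN30, ALGN3 and ALGPWD unspecified, so HMAC-SHA256 stands in for them here; the static variables, the 6-digit RND, the 8-digit PWD and the server-side rule that a jolly string's p must exceed the stored count are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
# Initialising table from the patent's example: jolly string -> number p.
JOLLY_TABLE = {"3Fv38qlp13": 11, "B48sxnu3g": 27, "xmi30dq2": 39,
               "11sf8n3lCs": 55, "Mp249em67": 69}


def _stream(key, label, n, rnd, length):
    """HMAC-SHA256 in counter mode (assumed stand-in for the unspecified algorithms)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"%b|%d|%d|%d" % (label, n, rnd, counter),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def alg_n30(static_key, n, rnd, length=30):
    """ALGN30: long string from the static variables, the hidden counter n and RND."""
    raw = _stream(static_key, b"N30", n, rnd, length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)  # modulo bias ignored here


def alg_n3(n30, n, rnd, keep=13):
    """ALGN3: keep a subset of N30 at positions that depend on n and RND, order preserved."""
    raw = _stream(n30.encode(), b"N3", n, rnd, 2 * len(n30))
    ranked = sorted(range(len(n30)), key=lambda i: (raw[2 * i:2 * i + 2], i))
    return "".join(n30[i] for i in sorted(ranked[:keep]))


def alg_pwd(n3, n, digits=8):
    """ALGPWD: single-use password computed from n and N3."""
    mac = hmac.new(n3.encode(), b"PWD|%d" % n, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def derive(static_key, n, rnd):
    return alg_pwd(alg_n3(alg_n30(static_key, n, rnd), n, rnd), n)


class Terminal:
    def __init__(self, static_key, n):
        self.key, self.n = static_key, n

    def password(self, rnd):
        pwd = derive(self.key, self.n, rnd)
        self.n += 1  # CONT runs on the terminal immediately after generation
        return pwd

    def jolly(self):
        """Select the jolly string with the smallest p above the stored count and adopt p."""
        candidates = [(p, s) for s, p in JOLLY_TABLE.items() if p > self.n]
        if not candidates:
            raise RuntimeError("initialising table exhausted; a new table is needed")
        self.n, jly = min(candidates)
        return jly


class Server:
    def __init__(self, static_key, n):
        self.key, self.n, self.rnd = static_key, n, None

    def challenge(self):
        self.rnd = secrets.randbelow(10 ** 6)  # ALGRND
        return self.rnd

    def check(self, pwd):
        """CHKPWD: constant-time comparison; CONT runs only after a positive result."""
        ok = self.rnd is not None and hmac.compare_digest(
            derive(self.key, self.n, self.rnd), pwd)
        self.rnd = None  # each RND is answered at most once
        if ok:
            self.n += 1
        return ok

    def resync(self, jly):
        """CHKJLY: accept a jolly string from the table and adopt its p."""
        p = JOLLY_TABLE.get(jly)
        if p is None or p <= self.n:  # rejecting p <= n is an added assumption
            return False
        self.n = p
        return True


def demo():
    key = b"TERM-0001|initial-user-code"  # constructed static variables
    server, term = Server(key, 30), Terminal(key, 30)
    log = {}
    term.password(server.challenge())          # terminal computes PWD and moves to 31
    log["wrong_pwd"] = server.check("not-it")  # but an incorrect PWD' reaches the server
    log["desync"] = (server.n, term.n)
    log["jolly"] = term.jolly()
    log["resync"] = server.resync(log["jolly"])
    log["after_resync"] = (server.n, term.n)
    log["login"] = server.check(term.password(server.challenge()))
    log["final"] = (server.n, term.n)
    log["replayed_jolly"] = server.resync(log["jolly"])
    return log


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The run reproduces the patent's worked case: after 30 accesses and one mistyped password the counters diverge, and the jolly string “xmi30dq2” brings both sides to 39.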

Variants of the Embodiment Described

As far as the logic of the identification procedure described previously is concerned, possible variants relate to:

the possibility of using the password PWD generated by means of the procedure described as a key for the encryption algorithm (with one, two or more public and private keys), which makes it possible to encrypt any information of any kind (for example texts, sounds, images, including fingerprints, iris images and biocharacteristic information) exchanged between the user and the service provider, in a different manner at each connection between these parties;

the quantity and type of static and dynamic variables which allow the password PWD to be generated, and which are similar to those used in the preferred form of embodiment (for example for the purposes referred to a random number RND is similar to a random string, the number of connections concluded is similar to the number of connections successfully initiated, and so on);

the increment rule for the dynamic variables, in particular of the variable n, for which such increment may occur in a non-consecutive and variable manner at each new connection, in whole steps or not, in a linear manner or not, as a function of other variables;

the fact that the password PWD is dependent, in an unambiguous and different manner for each user, on the entire history of the connections between the user and server, for example due to the effect of the increment of the variable n not only as a function of the number of preceding connections successfully established, but also of the random number RND exchanged in the connection in progress (the history of the connections made by a user is therefore recorded on the server which stores the dynamic variables n, the numbers RND exchanged and the passwords PWD entered);

the algorithms used in the individual steps described, which may be of any type provided that they perform the task indicated (where appropriate, the algorithms may be personalised to the user, for example by means of an initialising procedure with one or more fixed variables, unique to each user);

the order in which some of the steps described can be carried out, while obtaining the same result;

the formats and lengths of the numbers and strings used in the identification procedure and in the JOLLY initialising procedure, which may be different from those considered;

the format and size of the initialising table, which may be of any type.

It is also pointed out that a procedure which would also be intrinsically secure could be that of using only and exclusively the initialising procedure to start the identification procedure, then inputting, after the PIN identification string, a jolly string so as to select the variable p associated with it.

This procedure does have disadvantages, however, such as for example the fact that the size of the initialising table (number m of jolly strings) is limited and therefore the table would be regenerated with a certain frequency, checking each time that there are not identical numbers for different users. This would involve having to send the card or the processing terminal of the user to the service manager, with substantial loss of time and money and increased complexity of the system and its management, all the more so if the number of users is large.

An access procedure based only on initialising by means of the jolly strings does however represent a sub-case of the complete access procedure described.

As far as the user processing terminal is concerned, variants may relate to:

the method of inserting and presenting the information relating to the connection (RND, PWD, . . . ), which may be done manually by means of the keypad and display of the terminal, or still manually by means of the keyboard and monitor of a personal computer or similar interface device, or by voice using voice recognition and audio messages, or again automatically via a connection of any type (by means of a serial port, USB, infra-red, using radio waves or again by optical means) to a personal computer and software resident in the computer to which the device is connected, or again by means of the keyboard and display of a palm-top computer or a fixed or mobile telephone, and so on;

the circuitry arrangement of the reading device, with its volatile and non-volatile memories and its internal processor, which must be configured so that at minimum it performs its task;

the type of card used, which may be of any kind, provided that the minimum structure described is present, which is needed for performing the operations described;

the static and dynamic variables present in the memories of the reading device and the card, which may be of any type, length or nature, provided that they are similar to those mentioned previously and perform the same task;

the location of the logic units (processor, memories etc.) and of the data/information necessary for generating the password and for the connection (that is the algorithms, the static and dynamic variables etc.) which have been divided between the reading device and the card as described, but which could also be divided differently (for example, each card could be completely autonomous both as regards the variables and the algorithms, and as regards the management of these and calculation of the password, leaving to the reading device only the task of inputting/displaying data and/or information and supplying power to the card);

the type of reading device, which could be as described previously (that is which can be used manually and automatically by means of a personal computer) or of the PCMCIA card type, or which can be incorporated in (or adapted to) a palm-top computer or a cellular or fixed telephone, or again may have a biometric data reader such as for example, a scanner for reading fingerprints;

the possibility of being able to insert multiple cards into the reading device at the same time, selecting them by means of a selector device provided inside the reader itself, so as to use the same reader for several services, without necessarily having to replace the smart card in the reader when a different service is chosen.

AREAS OF APPLICATION OF THE INVENTION

The areas of application of the invention are in general all those in which there is a requirement for certain identification of a party, in particular of a user by a service provider and/or encryption of the information exchanged between them. This means that both public sectors (organisations/authorities etc.) and private sectors may be involved, including the services which already use smart cards for recognition of the users and/or encryption algorithms (or security certificates) to ensure the secrecy of the information exchanged.

Just some examples of possible applications are given below.

1) E-Banking

The user must have an account open with a bank which also provides on-line services.

When the account is opened, the bank may offer the service of secure connection to its own on-line services and the assurance that no unauthorised outside party can read the information exchanged between the user and the bank. To do this, in addition to having made technical arrangements (that is having implemented on its own site the secure connection system disclosed by the invention), the bank will take steps to provide the user with the terminal having a reading device and/or personal smart cards programmed for the user. In this way, the user will be able to connect to the bank's on-line services in the secure manner described, and carry out all desired operations.

If the bank is prepared for the service, the user may also request temporary virtual credit card numbers (as described in point III above), the amount of which will be charged to the account which he holds with that bank. Such temporary credit cards may also then be used in a secure manner for purchases on e-commerce sites.

2) E-Commerce

The user has at least two types of access and payment for goods purchased on the Internet.

The first highly versatile one consists in sending the manager of any e-commerce service existing in the world (and which accepts credit cards for payment), the numbers of (temporary) virtual credit cards as described in point III above. In this case, security would be guaranteed by the on-line bank to which a secure connection is made to obtain this credit card number (see point III above and e-banking).

The second type of access and payment consists in the user registering with an approved e-commerce site which markets one or more categories of products in which the user may be interested (for example a virtual supermarket, a site which markets High-Tech products, virtual Computer Shops etc.). When registering, the user must, in addition to his own personal data, also communicate (possibly using conventional procedures) the details for payment and invoicing (for example the number of his own current account and the credit card number).

This system is already used in various situations and is totally secure because it provides for the transfer of partial information through different channels to the manager, which will ensure that they are secure. Against it is the fact that it provides for rather lengthy times for each registration, but in the case in question it has to be carried out only once for each e-commerce site selected.

When registration has been carried out, the service or site manager provides the user with the terminal having a reading device and/or the smart card relating to the service offered.

In this way, the user will be able to connect to the service in question whenever he wishes without sending any information attractive to or usable by unauthorised third parties via the network.

Once certain recognition of the user by the service manager has taken place, the user may purchase an item or service, and for payment to be made, the manager will use the information previously sent to the user at the time of registration.

3) Cash Machines

Cash could be withdrawn from appropriately prepared cash machines (or in general any ATMs) by means of exactly the same procedure used for connecting to an on-line banking site.

The user keys in his PIN on the cash machine keypad which is connected to the Bank, which in turn sends the number RND which appears on the cash machine display.

Manually or by means of any other system, the user then enters into his own terminal the number RND received, obtains the password PWD from his own terminal and keys it in on the keypad of the cash machine, which checks its validity with the Bank and in the affirmative allows access to the cash machine service and all functions available on the machine.

4) Payment to Approved Businesses

Once an item or a service is purchased from a shop, payment may be made in at least two different ways.

In a first method, the user must be in possession of the device and the relevant card, and the shop must be entitled to connect to the bank or its service company which issues virtual credit card numbers. In this case too the connection is made in a manner similar to that described previously (see cash machines for example), with the only difference that, once the connection is obtained, the bank (or someone on its behalf) sends details of the virtual credit card generated and relating to the expenditure incurred by the user with the above-mentioned shop.

A second method provides instead for the use of a cellular telephone. Once the item to be purchased has been selected, the PIN is sent by means of a first message SMS to the number supplied by the reference bank. The bank's management system sends the sender's number an SMS containing the number RND. The user types in this number on his terminal, obtains the password PWD, and then sends the bank a second SMS containing this PWD and the amount of the purchase to be made. The bank then sends back to the user an SMS containing the number and all the details of the virtual credit card created for him in relation to the amount required. This information on the virtual credit card can then be communicated to the manager of the shop, allowing the due payment to be made.

It is stressed that the system comprising a user terminal and a cellular telephone may in any case also be used to obtain virtual credit card numbers for purchases using different methods (for example via the Internet, as already described).

Clearly, there is also the possibility that all that has been described may be carried out using only a telephone which has the capability of managing a smart card in the same way as the reading device of the user terminal, simplifying the operation by using the keypad and the display of the telephone itself.

5) Access to Protected Sites and e-mail Servers

In this case too, the connection procedure is exactly the same as that described in the previous points.

The user, possessing his terminal and the associated smart card, when requesting connection to the site or to the server, enters his PIN number. The site (or server) sends the user the RND, which is entered into the user terminal to generate the password PWD. The user then types in the password PWD and accesses the system.

Alternatively, the password may be entered and used as a key for an encryption algorithm. This algorithm provides for encryption of the password too, which may be sent thus encrypted to the server which decodes it and authorises (or denies) access accordingly. If access is authorised, all other information exchanged between the user and server is encrypted using the same algorithm, initialised by means of the password relating to this connection.

It is worth stressing that in this case too, as in all cases in which a personal computer is used for the connection, the user's processing terminal may where appropriate be connected directly to the computer and managed by this by means of suitable software which is responsible for transmitting the data between the terminal and the computer, with no manual intervention by the user.

6) Mobile Banking

The recognition system described may also be extended to connecting to banks by means of cellular telephones and communications networks which use a suitable communications protocol (of the WAP, GPRS or UMTS type).

The procedure of identifying the user party is still the same, but uses the cellular telephone network and a commercially available cellular telephone.

In practice, a connection is set up to the site (for example, the WAP site) of the bank and the PIN is entered using the keypad of the cellular telephone. Then, once the number RND has been received from the bank's site, this number is entered into the terminal and the password PWD is obtained which will then be sent to the WAP site, still using the keypad of the cellular telephone. Once access is obtained, the user can navigate around the site to which connection has been made.

Of course, this procedure may be applied to all sites accessible via the cellular telephone network, for which it is essential to have certain knowledge of the identity of the user.

Moreover, the same procedure could be made easier if the cellular telephone were arranged to read and manage smart cards of the type described, in which case the user's processing terminal would be incorporated in the cellular telephone and to use it the keypad and display of the telephone itself would be employed.

7) Controlling Access by Personnel

The recognition system described may also be extended to controlling access by personnel to offices/businesses or, in general, to areas prohibited to unauthorised persons (in which case the service delivered is represented, by extension, by permission to access).

The portable user terminal, equipped with a device for reading biometric data and “one-time” password generating software may advantageously be used to control access by personnel as a replacement for the common validation cards. The combination of the functions of biometric recognition and single-use password generation means that identification of the card's authorised holder is absolutely unambiguous.

More generally, the combination of the characteristics of biometric identification of the terminal holder and the fact that the passwords PWD are dependent in an unambiguous manner different for each user, on the entire history of the connections between the user and the server, makes the system suitable for fingerprint identification of persons. The fact that the history of the connections is unique to a given subject identified by his fingerprint, that the individual passwords are dependent on the whole history of the previous connections and that the data relating to the connections are retained on the server means that a party cannot deny the access to the server. On the other hand, he can demonstrate that he was not involved in any access which may have occurred unknown to him, since the portable terminal generating the passwords retains a memory of the data relating to a predetermined number of the latest connections.

The examples described are only some of the possible areas of application of the method and the system according to the invention, the number of services in which a user must be identified with absolute certainty being very large.

It is pointed out that the applications of e-banking, e-commerce, cash machines, payments to approved businesses in the first method and access to protected sites and e-mail servers all require the use of the same unique user terminal, with a single or various smart cards according to individual requirements. On the other hand, the applications of payments to approved businesses in the second method and of mobile banking also require the use of any telephone (for example a cellular terminal) of the type long available on the market and therefore without any addition of non-standard hardware.

Advantageously, it is possible to provide a telephone (fixed or mobile) arranged to read the particular type of smart card provided by the manager of the service which it is wished to use.

CONSIDERATIONS REGARDING THE SECURITY OF THE PROCEDURE AND OF THE SYSTEM ACCORDING TO THE INVENTION

Below, some examples and considerations are given to assist in understanding how the system disclosed by the invention is intrinsically secure.

First of all, definitions are given of some quantities useful for the discussion which follows:

l=length of the string N30;

m=number of characters in the string N30 which are omitted in the procedure for generating the password PWD (clearly m<l);

s=number of possible values (alphanumeric) which the characters of l can assume;

k=number of data sent over the network (PWD+RND).

For the sake of simplicity, it is assumed that all the information relating to the connection is exchanged “in clear” between the user C and the server S, and that an attempt is made to decipher the algorithm for generating the single-use password.

The following will be sent over the communications network for each connection:

-   a PIN;
-   a random number generated by the server (RND); and
-   a single-use password (PWD).

Therefore, on the most favourable assumptions for a hacker, the latter is capable of identifying the user being connected, part of the input data (RND) and the output (PWD) of the procedure.

The question now is to try to understand what actions might be taken to attempt to reconstruct the procedure and its algorithms.

For this purpose we may consider three cases, a first highly simplified case, a second simplified case, but closer to the actual case, and finally the actual case.

To enable numerical estimates to be made, an assessment is made of the number of data (PWD+related RND) which a hacker may succeed in collecting in a finite (but long) time as follows: considering a user who is connected on average ten times a day for about 30 years, the total number of connections will be around 100,000. In the second and third cases, this number is not essential for the subsequent considerations, and in practice k may be as large as desired without altering the substance of the conclusions given.

1) First Case: l=10, m=0, s=10 (0, . . . ,9), k=10⁵

This is a highly simplified case which does not contain the mechanism of loss of information characteristic of the invention. It is useful for the purpose of estimating the difficulty of the action of a hacker in the most optimistic case imaginable.

It is assumed that the output strings, indicated here by the term N10 and coinciding in this case (there is no loss of information) with the PWDs, have a length l=10 and that the presumed hacker collects a number k=10⁵ of these together with the related input data (which coincide in this case with RND, since dynamic input variables are not considered).

It is possible to carry out a numerical experiment to check directly the possible action of the hacker, and for this by way of example a simple algorithm ALGN10 generating the string N10 is chosen, based on the calculation of the sine of the input variable (multiplied by a constant a), that is:

N10 = Sin[a RND]

Thus, various input files have been generated and the output file (PWD) produced has been interpolated using the commercially available software MATHEMATICA®. In the majority of cases, the interpolating function obtained from the software did not succeed in predicting a new output value (outside the range of input values introduced). This also means that in some cases the prediction had positive results, that is that in this highly simplified case there is a finite probability of predicting a subsequent value of an output password outside the range of those interpolated.

It will be clear to a person skilled in the art that, in this case, the accuracy of the interpolation depends on the number of data available, so that theoretically a hacker will always be able to decipher the algorithm (even if this takes an extremely long time).

2) Second Case: s=10, 10>m>0, l=10, k=10⁵

This case, also simplified, presents the loss of information mechanism characteristic of the invention.

It is assumed that the presumed hacker is still capable of intercepting k=10⁵ data and that the input information (RND) contains no indeterminacy. The difference compared with the previous case is that now the output strings (N10) do not coincide with the passwords PWD which are intercepted by the hacker. Therefore the hacker must now reconstruct the algorithm (the entire procedure) starting from an incomplete set of data (PWD, RND).

A specific case is now considered in which m=1, so that in a manner not known to the hacker (since it depends on a dynamic variable which is in no way passed over the network) a character of the string N10 is eliminated.

Thus PWD will be a string of nine characters (more precisely of nine figures if s=0, . . . ,9) and the hacker has available ten different possibilities for N10, for each position of the missing character (it is also assumed that the hacker knows that N10 is composed of ten figures!). It is clear that the number of possible combinations increases enormously when the number of the data collected is increased.

In the general case, assuming that the figures unknown to the hacker are m, there will be $s^{m}$ possibilities for each PWD to reconstruct N10, in the case where the positions of the missing figures (and the number of these) are known. In the case where the positions are not known, this number has to be multiplied by the possible arrangements of m items over k positions, that is for a binomial coefficient $\begin{pmatrix}k \\ m\end{pmatrix}$.

The number of possible N10s differing from each other will be between $s^{m}$ and $\begin{pmatrix}k \\ m\end{pmatrix}s^{m}$, because of possible repetitions in the combinations.

The case is now considered (in the hacker's favour) where the useful combinations are only $s^{m}$: then, for a number k of data (RND, PWD), the possible combinations (RND, N10) will be $s^{mk}$.

In the simplest case (m=1), the number is 10¹⁰⁰⁰⁰⁰ data files on which to carry out interpolations (for each of them!). Assuming also that the presumed hacker possesses a machine with infinite computing power, he would be able to analyse the data and from them extract various interpolating functions using more or less sophisticated methods (for example he might exclude those which have large discontinuities). In every case, whatever the criterion adopted, there would still be a very large number of data which supply absolutely plausible functions and the choice between these would be dictated only by chance.

The probability of guessing the correct function from among these would be less than or at least comparable with that of guessing at random the correct password PWD (one possibility in 10¹⁰ in this case, for a PWD composed of 9 figures!).
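The counting argument of the second case can be checked numerically. The following is an added example, not part of the patent text: it builds the toy sine-based ALGN10, drops characters at a position derived from a hidden counter, and enumerates every distinct ten-figure string consistent with one intercepted PWD. The constant `a`, the position rule in `drop_hidden`, the sample RND and n, and the choice of counting positions over the string length l are assumptions of the example.

```python
import math
from itertools import combinations, product

DIGITS = "0123456789"  # s = 10 possible values per character


def alg_n10(rnd: int, a: float = 12345.6789) -> str:
    """Toy ALGN10 from the first case: ten digits of |sin(a * RND)|.

    The constant `a` is a constructed value, not one from the patent.
    """
    return f"{abs(math.sin(a * rnd)):.10f}"[2:12]


def drop_hidden(n10: str, n: int, m: int = 1) -> str:
    """Remove m characters at positions derived from the hidden variable n.

    The position rule (n + i) mod length is an assumption of this example.
    """
    chars = list(n10)
    for i in range(m):
        del chars[(n + i) % len(chars)]
    return "".join(chars)


def candidates(pwd: str, m: int, alphabet: str = DIGITS) -> set[str]:
    """Every distinct string of length len(pwd) + m that yields pwd
    when m characters are deleted (order of the rest preserved)."""
    length = len(pwd) + m
    found = set()
    for positions in combinations(range(length), m):
        for fill in product(alphabet, repeat=m):
            kept, added = iter(pwd), iter(fill)
            found.add("".join(
                next(added) if i in positions else next(kept)
                for i in range(length)))
    return found


def log10_joint_space(s: int, m: int, k: int) -> float:
    """log10 of s^(m*k): candidate (RND, N10) data files over k observations."""
    return m * k * math.log10(s)


if __name__ == "__main__":
    n10 = alg_n10(rnd=42)             # constructed RND
    pwd = drop_hidden(n10, n=7)       # constructed hidden connection counter
    found = candidates(pwd, m=1)
    lower = len(DIGITS) ** 1
    upper = math.comb(len(n10), 1) * len(DIGITS) ** 1
    print(f"N10={n10} PWD={pwd}")
    print(f"distinct candidates: {len(found)} (bounds {lower}..{upper})")
    print(f"true N10 among candidates: {n10 in found}")
    print(f"log10 of joint space, k=10^5: {log10_joint_space(10, 1, 10**5)}")
```

For m=1 the enumeration always lands strictly between the two bounds, because inserting a figure next to an identical figure produces the same string from two different positions; these are the repetitions the text refers to.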

3) Third Case: Actual Case

With reference to the second case, the realistic situation in which a hacker might expect to operate would have the following differences:

-   the length of the string (N30) is appreciably greater than that used in the previous example (N10), as well as possibly being dependent upon the dynamic variables, and is not known to the hacker;

-   alphanumeric characters are used so that s is approximately equal to 30;

-   m is equal to at least 15 (in the case of N30);

-   for every PWD produced the order and the positions in which the figures which compose it are selected (starting from N30), and also the number of these, may be different, as a function of the dynamic variables; this involves a major difference compared with the previous case in which it was assumed that the figures composing the PWD would remain in the same order in which they were in N10;

-   N30 in general is in turn a function of the dynamic variables; from this it follows that RND does not represent all the input data and the correlation between input and output (RND, PWD) for the hacker becomes minimal;

-   the possibility of resetting or in any case changing one or more dynamic variables by means of the JOLLY procedure eliminates any possibility of discovering a correlation with these hidden variables;

-   all the information exchanged between the user and the server does not necessarily have to be sent in clear, since it can be encrypted without interfering with the whole process.

In conclusion, from the considerations set out it can be easily understood how the loss of information contained in the method of identification disclosed by the invention is essential and can in no way be recovered by any unauthorised external operator.

Naturally, the principle of the invention remaining the same, the embodiments and details of implementation may be varied widely with respect to what has been described and illustrated purely by way of non-limiting example, without thereby departing from the scope of the protection defined by the appended claims.

1. A method for the identification of a party authorized to have the benefit of a service delivered by a provider party via a telematics network, in which said provider party is connected to the network by means of an electronic communications and processing system (S) capable of managing a procedure for identification of user parties authorized to operate with the provider, each user party being able to connect to the network by means of a respective electronic communications and processing system (C), and in which the provider party requests a temporary password (PWD) identifying the user party to allow the user access to the services delivered, characterized in that: upon request by the user party, one of said communications and processing systems (S; C) of the user party or of the provider party generates a random number (RND) by means of a predetermined algorithm for generating random numbers (ALGRND), and communicates said number (RND) to the other party via the network; in that it involves autonomous execution of a procedure for calculating the password (PWD) at the processing systems (S, C) of both parties on the basis of predetermined common algorithms, said calculating procedure comprising the operations of: generating a first string of characters (N30) by means of a first algorithm (ALGN30), on the basis of said random number (RND) and of a hidden dynamic variable (n; p) not transmitted over the network, but obtained from said processing systems (S, C) independently; extracting a second string of characters (N3), a subset of said first string (N30), by means of a second algorithm (ALGN3), as a function of said hidden dynamic variable (n; p) and of said random number (RND); and generating the temporary password (PWD) by means of a third algorithm (ALGPWD), on the basis of said second string of characters (N3), and in that identification of the authorized party takes place following the transmission to the processing system (S) of the provider party, of the password (PWD) calculated by the processing system (C) of the user party, and through subsequent comparison with the password (PWD) calculated by the processing system (S) of the provider party, so that access to the service is permitted if such comparison gives a positive result, and is otherwise denied.
2. A method according to claim 1, characterized in that said hidden dynamic variable (n) indicates the number of connections between the user party and the provider party which have previously taken place.
3. A method according to claim 2, characterized in that the processing system (C) of the user party updates said dynamic variable (n) by increasing by one or more units the value known to it subsequent to generation of the temporary password (PWD).
4. A method according to claim 2, characterized in that the processing system (S) of the provider party updates said dynamic variable (n) by increasing by one or more units the value known to it subsequent to an operation of comparison between passwords (PWD) with a positive result.
5. A method according to claim 1, characterized in that said hidden dynamic variable (n) is a function of the number of connections between the user party and the provider party which have occurred previously and of said random number (RND).
6. A method according to claim 1, characterized in that said hidden dynamic variable (n; p) can be altered at the request of the user party via an initializing procedure.
7. A method according to claim 1, characterized in that said hidden dynamic variable (n; p) can be altered at the request of the provider party via an initializing procedure started subsequent to an operation of comparison between passwords (PWD, PWD′) with a negative outcome.
8. A method according to claim 1, characterized in that the generation of the temporary password (PWD) by means of said third algorithm (ALGPWD) is also conducted as a function of said hidden dynamic variable (n; p).
9. A method according to claim 1, characterized in that, upon a request for connection by a user party, the processing system (S) of the provider party requests from said user party an identification string (PIN) as a function of which to select one or more predetermined static variables.
10. A method according to claim 9, characterized in that said identification string (PIN) makes it possible to choose data (DEVID) relating to the processing system (C) of the user party and data predetermined by the user when activating the service.
11. A method according to claim 9, characterized in that it comprises the operation of checking the validity of the identification string (PIN) at the processing system (S) of the provider party, and in case of a negative outcome, access to the service is denied.
12. A method according to claim 9, characterized in that the generation of the first string of characters (N30) by means of said first algorithm (ALGN30) is also conducted on the basis of said static variables.
13. A method according to claim 1, characterized in that the number of characters of said first string of characters (N30) is determined as a function of said hidden dynamic variable (n; p) and of said random number (RND).
14. A method according to claim 1, characterized in that said second string of characters (N3) has a number of characters less than half the number of characters of said first string (N30).
15. A method according to claim 14, characterized in that the order of the characters forming said second string (N3) is different from the order in which they are presented in the first string (N30), their positions being dependent upon said dynamic variable (n; p) and said random number (RND).
16. A method according to claim 6, characterized in that said initializing procedure comprises the transmission to the processing system (S) of the provider party of an initializing string (JLY_(p)) selected by the processing system (C) of the user party from an initializing table previously stored independently in both systems (S, C).
17. A method according to claim 16, characterized in that said initializing table comprises two sets, respectively a first set including a plurality of strings of characters (JLY_(k)) and a second set including a plurality of integer numbers (p) in one-to-one correspondence with the strings of characters (JLY_(k)) of the first set.
18. A method according to claim 17, characterized in that said second set does not comprise consecutive numbers.
19. A method according to claim 17, characterized in that the initializing procedure comprises the steps of: selection by the processing system (C) of the user party of the string of characters (JLY_(p)) corresponding to the smallest integer number (p) greater than the current value (n+1) of the dynamic variable stored by the system (C); transmission of said string (JLY_(p)) to the processing system (S) of the provider party as an initializing string; selection by the processing system (S) of the provider party, of the integer number (p) in the relevant initializing table, corresponding to the string of characters received (JLY_(p)); and replacement of the current value of the dynamic variable (n+1; n) with the value of said integer number (p) in both processing systems (C, S) of the user party and the provider party.
20. A method according to claim 1, characterized in that said first, second and third common algorithms (ALGN30, ALGN3, ALGPWD) may be personalized to the user party.
21. A method according to claim 1, characterized in that said passwords (PWD) calculated autonomously by the processing systems (C, S) of the user party and of the provider party are supplied as keys to a predetermined algorithm for encryption of the subsequent communications between said parties.
22. A system for the identification of a party authorized to have the benefit of a service delivered by a provider party via a telematics network, for example to allow access to services of e-banking, e-commerce, withdrawal of cash or commercial transactions, access to protected web sites and to shared resources for the management of electronic mail, access to controlled areas, wherein: said provider party is connected to the network by means of an electronic communications and processing system (S) capable of managing a procedure for identifying user parties authorized to operate with the provider, each user party is able to connect to the network by means of a respective electronic communications and processing system (C), and the provider party requests a temporary password (PWD) identifying the party requesting authorization to allow access to the services delivered, characterized in that the communications and processing systems (C, S) of said user party and provider party are arranged to carry out a method of identification according to claim 1.
23. A system according to claim 22, characterized in that said processing system (C) of the user party comprises an electronic processing, storage and communications terminal and a programmable electronic personalizing module which can be linked to said terminal.
24. A system according to claim 23, characterized in that said personalizing module comprises a removable microprocessor card.
25. A system according to claim 23, characterized in that said personalizing module includes at least one rewritable non-volatile memory unit, storing a dynamic variable (n; p) indicating the number of connections between the user party and the provider party which have taken place previously and an initializing table.
26. A system according to claim 25, characterized in that said initializing table comprises two sets, respectively a first set including a plurality of strings of characters (JLY_(k)) and a second set including a plurality of integer numbers (p) in one-to-one correspondence with the strings of characters (JLY_(k)) of the first set.
27. A method according to claim 26, characterized in that said second set does not comprise consecutive numbers.
28. A system according to claim 23, characterized in that said terminal comprises at least one non-volatile memory unit storing data identifying the terminal and/or the user party.
29. A system according to claim 25, characterized in that said at least one memory unit of the personalizing module stores card identification data and the algorithms necessary to execute the method of identification by the terminal.
30. A system according to claim 29, characterized in that said processing terminal of the user comprises an electronic card reading device and a processing unit capable of executing the programs stored on the card.
31. A system according to claim 23, characterized in that said terminal can be incorporated in an interface device to a telematics network.
32. A system according to claim 31, in which said terminal can be incorporated in a telephone.
33. A system according to claim 31, in which said terminal can be incorporated in a palm-top computer.
34. A system according to claim 24, characterized in that said terminal is capable of receiving several cards and has means for selecting the card to be used.
35. A system according to claim 23, characterized in that said terminal comprises display means for the presentation of the passwords generated and a keypad for selection, setting and control.
36. A system according to claim 35, characterized in that said keypad comprises keys marked with characters for inputting the data requested in the identification procedure and at least one push-button to activate a procedure for initializing the system.
37. A system according to claim 23, characterized in that said terminal comprises a voice recognition device and a device for emitting audio messages.
38. A system according to claim 23, characterized in that said terminal comprises a device for reading biometric data of the user party.
39. A system according to claim 23, characterized in that said terminal is further provided with a communications port enabling it to be connected directly to an interface device to a telematics network.